Qualys, Inc. (QLYS) Earnings Call Transcript & Summary
March 10, 2022
Earnings Call Speaker Segments
Hamza Fodderwala (analyst)
Okay. Great. Well, good evening, everybody. My name is Hamza Fodderwala. I'm the cybersecurity analyst here at Morgan Stanley. And this afternoon, rather, we have the team from Qualys. We have Sumedh Thakar, the CEO; as well as Joo Mi Kim, the CFO. Thank you so much for joining.
Sumedh Thakar (executive)
Thanks, Hamza.
Hamza Fodderwala (analyst)
Yes. And before I begin, just a brief programming note. For important disclosures, please see the Morgan Stanley research disclosures website at www.morganstanley.com/researchdisclosures.
With that, I want to begin, Sumedh, with a recap of '21. So top line growth accelerated throughout the year, much better than we expected, and it seems like you have line of sight into 20% revenue growth again. If you could break it down to 3 factors that drove that acceleration, what would you attribute it to? And what gives you confidence that these trends will be durable heading into '22?
Sumedh Thakar (executive)
Yes. I think -- thanks for the question. We're quite excited about where we are and what we've been able to achieve in 2021. I think we started at 10% to 11% that we were guiding to and then ended the year at 13% and then guiding 2022 to a good strong growth. I think -- and what is also very interesting and encouraging for us is to see that, that inflection point is ahead of the investments that we're planning to make this year. And so I think a lot of that really has to do with, as we went about rebuilding our management team, bringing in a Chief Revenue Officer that we did not have before to really put a focus on sales and then lining up marketing investment or other marketing leadership behind that, working with our sales team for better execution and focused execution. So having a CRO who was working continuously with them, something that we've not had in the past where there was a complete sales-focused leadership. And obviously, the key part there for us is that the product, VMDR, that we have brought into the market a couple of years ago really is resonating with customers in current market, where in the environment that we are in where fixing these vulnerabilities is extremely critical in a quick period of time given the speed at which attacks have been coming. So the fact that VMDR actually provides that end-to-end workflow of asset inventory, vulnerability detection, prioritization and ability to fix things quick are resonating with our customers. So as our technical account managers, salespeople were able to engage with customers and talk about the story that resonated well with them and which led to customers really looking at and doing the upsells and doing what they were doing with us meaningfully. And that gives us really, excitement to say that, "Hey, when we engage with our customers with the right approach, with the right training for our sales team, that it is leading to that upsell that we're looking for."
And then also as we continue to focus on new business growth, which is an area that we're really looking for. Now we're investing broadly across the board, including product management, et cetera, to sort of line up behind the go-to-market, but I think I would say that those are some of the factors that we see that are encouraging for us, that being able to see that acceleration before we get into the investment certainly is encouraging.
Hamza Fodderwala (analyst)
Yes. I definitely want to get into some of the operational improvements. But just on the demand environment, it seems like it's stronger than it's been in several years. You had the Log4j incident, which, generally, I would say, should be a tailwind for the vulnerability management space. And then you have the rising potential of state-sponsored cyber attacks with the Russia-Ukraine tensions. I'm curious on both Log4j seems to be something that you probably hear from customers already and then obviously the latter. How would you assess the temperature in the room when you talk to executives on the demand for your type of solution given these events?
Sumedh Thakar (executive)
Yes. I think we talk about Log4j and the Ukraine thing because it's in the last couple of weeks, but I think if you go back the last couple of years, there's been multiple events with ransomware was a big focus 6 months ago. Before that, it was SolarWinds, and I think that has been building towards that prevention as a focus for customers, really. So when we talk to customers, they are really looking to say, "The speed at which things are being weaponized and I'm being attacked is increasing. And so how do I get out of the traditional mold of how we have been doing a different tool for knowing my inventory, a different tool for assessing vulnerabilities, a different thing for prioritization and then patching, which the silos have been taking a lot of time?" So as we spoke to customers and as we talk to them about VMDR reducing their time, I think really that has been encouraging for us to hear that customers are looking for that ability to fix things quicker. And if you really go back, as an example, to around ransomware or Log4Shell, and I'll come to that separately, but the -- if you look at, for example, what CISA has been talking about, right, around every time something like that happen, the guidance really ends -- tends to be the same in terms of, "Hey, know your assets. Patch these most exploitable vulnerabilities that are prescriptive about that." And the thing they talk about is patch them, right? Fix them. You need it. In some cases, they're putting on mandates for agencies saying, "Within 2 weeks, you need to patch this particular vulnerability that's been exploited." So that focus on remediation. So no matter what kind of vulnerability issue is coming up, it releases again, it's going back to the basics of let's make sure we know our assets and have a full visibility. Let's make sure that we know the end of life. Let's make sure that we're able to look at the vulnerabilities and fix them.
Now what was really interesting that we saw with Log4Shell and in our conversations with the customers that this was so widespread and just the traditional scanning solution based on vulnerability scanning was not enough in cases for them to find that because Log4Shell was embedded in applications that third-party vendors also provided. So the first question that everybody has was where are these applications installed, which again goes back to the remediation and the visibility for Log4Shell started with the inventory and knowing where these applications are and then getting into where do I have my own Log4Shell installed on the devices and then getting into how do I patch and fix these much quicker, right? And I think that's, again, highlighted that the ability to have the inventory capability of -- along with your vulnerability solution really starts to become quite important for our customers.
Hamza Fodderwala (analyst)
Yes. You hit on an important topic there. It seems to us that there is a bit of a shift in the market from perhaps a tactical offensive security stuff like your EDR, perhaps, towards a more strategic defensive posture. Maybe that includes your network security, vulnerability management. But asset discovery a lot of times gets lost in that. Can you talk a little bit about the importance of asset discovery, especially as we move to more cloud, more heterogeneous computing environment?
Sumedh Thakar (executive)
Yes. I think you hit upon 3 key topics there, right? I think if you talk to any security professional, at the high level, they're trying to do 3 things. They want to know what they have in their environment. They want to do everything to mitigate the risk to that asset. And then they want to be able to monitor them for threat and prevent or remediate those threats. And so your EDR and XDR solutions that come in that last bucket, and that's really good that the technology is able to stop an attacker when they're on the box. But if your -- if the attacker is on your box, which means you have mitigation and your risk management steps along the way have failed, that, that attacker was actually able to get on to the box, right? And so the ability -- when we look at that is the 3 pillars with our cybersecurity asset management really focusing on inventory. Second is having vulnerability management, IaC scanning, CI/CD, shift left patching, configuration mitigation, all of the comps in the risk management, right? So if customers can really focus on reducing the risk of somebody getting on in the box, then your EDR solution is important to monitor, but then your risk mitigation steps take an important effect. Now the question is, when you are looking at risk for your organization, how do you quantify that? Or even how do you start to know where you need to measure that? And that's why that asset management piece has been broken for a long time in terms of customers just not having the visibility into what assets they have, especially in the hybrid environment. People went remote with taking a laptop at home. So the traditional tools that organizations used to have to know what is on the network would disappear, and CMDBs have really been broken because they have not really been updated on a regular basis.
So listening to a lot of feedback from our customers, we really focused on creating an asset discovery and asset inventory capability and helping our customers first start off by detecting their assets, whether they are in the cloud, whether they're on-prem, whether they are at the home environment and keeping an up-to-date track of those assets. And then we evolved that capability into sort of that step-zero securities, just knowing what is your technical debt, right? Are you running end-of-life software in your environment, right? So even before you get into risk mitigation with vulnerability management, just sort of knowing the mix of what you have, how much of it is old, how much of it is outdated, and that has been very well received by our customers. That launch of cybersecurity asset management capability that we did in the middle of last year, we have seen very, very good feedback coming from customers as they have been adding that as an add-on to VMDR along with patching in certain cases.
Hamza Fodderwala (analyst)
Got it. Joo Mi, maybe a question on margins to bring you into the conversation. So you said 2022 was going to be another investment year, and it seems like you're embedding a lot in that guidance in terms of implied OpEx growth. What matters more? Is it getting back to 20% revenue growth or maintaining 40% EBITDA margin even longer term?
Joo Mi Kim (executive)
I think that right now, how we're looking at the business, we are focused on the growth acceleration. And so going back to 2017, I think we had a similar conversation where we were the #1 in the market. We were accelerating growth beyond 20%, and we had EBITDA margin of about 35%. And we had talked about [ rule of 60 ] at our Analyst Day in terms of our long-term targets. That hasn't changed. So if you take a look at our history in the last couple of years, we've decelerated on the revenue, and then we've continued to expand on the margin. Ending Q4 at 45%, I think that we definitely see opportunity to reinvest into the business. So to accelerate the momentum where you're seeing the revenue growth at 13% last year and our guidance for this year at the midpoint is 18% already. And so in order to ensure that we continue this momentum, we plan to reinvest into the business. What our 2022 guidance implies is EBITDA margin in the high 30s, which is great for us because we're really thinking about 2023 and beyond.
Hamza Fodderwala (analyst)
Yes. When you think about the long-term margin, though, has your thinking changed around, hey, if I want to compete in this market and it's the big market, and we want to continue growing 20% or 15% to 20% even, does that change your view on the longer-term terminal profitability of this business?
Joo Mi Kim (executive)
Not necessarily because nothing has changed. Our fundamentals remain strong. Our business model is still the same where approximately 60% of our business is direct, and 40% is indirect. And so last year, what we had said was, we don't see a reason why we -- our profitability would need to dip below that 40 percentage range. With that said, the reason why we guided to lower than 40% this year is due to the inflationary pressures. So that we're planning to make some wage adjustments. But excluding that, it would have been above that 40% plus because even that implies a 500 basis point contraction. And so I see that longer term, with our business model, we'll be able to accelerate revenue beyond that 20% while maintaining that 40% margin, but also that's in the outer years.
Hamza Fodderwala (analyst)
Yes. You talked a little bit about wage inflation. So if I look at the amount of head count that you added, which you disclosed, it was like, I think, in the single digits, right? You still saw this accelerating top line growth. So you're just now starting to invest. What is embedded in your guidance in terms of head count growth? And is that incremental higher that's coming on? Is that 10%, 20% more expensive a lot of times?
Joo Mi Kim (executive)
Yes. Great question. In terms of sales and marketing, we ended the year at 308, which is net increase about 10. And so it hasn't been that much. What we're targeting this year is we have multiple different levers in the business. We are planning to increase head count. Our primary focus is then attracting and retaining talent across different functions but with emphasis on sales and marketing. So our goal is to at least minimally double -- grow by double digits this year. If we grow more, that will be great, but if not, the 2022 revenue growth will not materially be impacted because the growth this year is more driven by the investments that we spent last year, right? And so we also are cognizant of the fact that there's a lot that we can do with the partners. We are focusing more on the channel partner side to make sure that we develop a better relationship with them, making sure that we have the right programs in place because it's still -- I think that ballpark is going to be 40% of our business, and that will have a faster acceleration on the growth momentum, if you will, versus going out and hiring new salespeople and ramping them.
Sumedh Thakar (executive)
Right. And if I can add to that, we're looking at a holistic approach towards the investment. It's not just the sales head count. I think that's one area that we are focusing on. But it's also focusing on digital marketing programs, focusing on product management to help our sales team improve their efficiency with better collateral and material that they can go with. We've talked about solution architecture groups that are helping our sellers with POCs so they can focus more on account management, a focus on new business, hiring reps that are focused more on being able to propose business value and not just the technical value, where we feel like we do a good job in sharing the technical capabilities. So -- and then, of course, broadly investing in our people. So I think overall, we're looking at using multiple levers as well as, as Joo Mi said, the channel partners as well. So it's not just sort of the head count is not the only thing that we're focusing on.
Hamza Fodderwala (analyst)
Okay. Got it. So obviously, Qualys has been a very profitable business. Again, 40% close to that on an operating margin basis. When you think about the demand environment, let's say, things slow down, growth seems a little bit weaker than you had thought, what are the levers that you can pull from an OpEx standpoint to perhaps get back to those pre-2022 operating margins?
Joo Mi Kim (executive)
In addition to sales and marketing, we are working with our CPO to make sure that we have the right product managers in place. And as Sumedh said, there is a lot that we could do in addition to the head count. So for example, making sure that our sales reps are working very closely with the marketing team as well as the solution architects as well as product managers. Because the way we see it is enabling our existing sales force is just as important, if not more important, than onboarding new and adding additional head count because what we've been doing, I think, is we've been doing very well with technical wins. When we're talking about our products and what we can deliver, we've been great at that. I think what we can do better on is making sure that the prospect and existing customers understand the value that we bring to them, right? And so that's where we're focusing on. And if you take a look at last year, the reason that we're confident that we can achieve this and continue this momentum is because ahead of this investment, we were able to achieve that expansion in terms of a net dollar expansion rate going from 103% to 108%, and that's really attributable to the fact that VMDR, we thought that -- we knew that it was very strategic for us. We just didn't know when that would translate into bookings and thereby on revenue as well, and we've seen that happen. That's really due to better execution. We're able to go out there and talk to customers. They recognize the value of VMDR. And so that strengthened our retention rate as well as accelerated.
Hamza Fodderwala (analyst)
Yes. And on VMDR, you talked about how the uplift has been net neutral. There are some customers who were perhaps on a single product who moved to VMDR, got an uplift; customers who are multiple products, not as much perhaps, in some cases, a down sell. The strategic initiative here was, hey, if a customer gets on VMDR, their retention rate goes up on a gross basis, it sounds like. What is the difference in the retention rate between a customer that's on VMDR versus a single product or core VM?
Joo Mi Kim (executive)
Yes. So great question. So when we launched VMDR, it's been a while now already, in 2020, we talked a lot about the pricing of VMDR. So one path that we could have taken was if we wanted an immediate impact on revenue, we could have priced it higher given the value that it brought to the customers. We decided at that time, no, we were really targeting the long-term value and long-term growth. So for that, we needed the customers to quickly adopt. So driving that adoption made us price it such that if you had just VM that year and you converted to VMDR, you would be paying more. However, if you had multiple Qualys products and you converted to VMDR, you might be paying a little bit less with us. So it just happened to be, for 2020, for the customers who converted to VMDR ended up being neutral on the revenue. The following year, our hypothesis was, well, this should translate into when they come up for renewal, higher retention rate and higher upsell, and that should strengthen our market position, and it's turned out to be true. And this is why we were very happy to report that last year, in Q4, that really drove the net dollar expansion rate from 103% to 108%, and that's why the retention is higher as we thought it would be. The customer stayed with us. It is stickier and then the upsell percentage, so that right now, they're having a positive impact on us. And so given that we're planning to really invest in the sales and marketing, it's been working well, the focused execution. We have the right initiatives in place, and it's a matter of executing on that.
Hamza Fodderwala (analyst)
Yes. And it sounds like you can go back to that installed base, sell them VMDR, they become stickier with you. Is there also an improvement as far as like the incremental margins that you see from a VMDR customer versus a single customer?
Joo Mi Kim (executive)
Absolutely. So our gross margin is very high in our contribution margin. If you think about it, we have a very scalable business model. So every time they decide to upsell or cross-sell into other products, it's going to be more profitable for us. The cost of selling, cost of acquiring a new customer is obviously higher than having to upsell and expand. And we've been very successful in upselling, cross-selling our existing products, and we have a ton of opportunity there. With us kind of focusing on both fronts where, this year, we're making sure that we hire enough presales to increase on new logo acquisition, but with that said, that doesn't mean that we're not taking care of our existing customers, especially with newer products. And our 2022 revenue guidance, as we've done historically before, we haven't baked into that guidance the potential upsell, the incremental material impact that it could have from newer products. And that, I think, is -- we know that it will come. It's just the timing is a little bit uncertain.
Hamza Fodderwala (analyst)
Got it. Got it. Maybe a question for both of you, but just on the competitive front. I think in the past, you talked about how some of your competitors have done -- have had some pretty aggressive pricing strategies, maybe a bit of a race-to-the-bottom strategy from their end. How do you think about trying to defend against that and making sure the overall ASPs are still fairly healthy when you have these types of competitors?
Sumedh Thakar (executive)
Yes. I think that's why VMDR was so strategic for us, right? So instead of sort of responding to that with the price war or something like that, we really felt like we have the platform breadth to add a higher-value vulnerability management product than just a detection-only capability, right, which is sort of what we see with our competitors, where they'll do a scan and give you a list of things that you have to go fix, right? So with VMDR, we responded by being able to put together multiple different capabilities that included prioritization, inventory, detection with the agent, bundling the agent with the scanner at no additional cost and then having the ability to see the patches so that they can add on to that patch management. So that was something that we did as a strategic thing to say we can now go back and provide a value-added product that the competition cannot drop the price on because they just don't have those features to be able to say that we drop the price because now you don't have the features that they have. And so that's why that first year was strategic for us to do that transition for VM to VMDR and it happened to be net neutral at that time, but as we are seeing now that, that becomes stickier. We don't have to get into much of the price war because the capabilities are there, and then it generates additional capabilities for us to go to the same customer and maybe the opportunity to upsell file integrity monitoring, opportunity to upsell EDR, opportunity to upsell patch management, which are capabilities we don't see with our direct competitors that they can offer those capabilities. So we do see customers as they are coming on board. We saw a lot of our top new customers that came on board last couple of quarters bought multiple of those capabilities in the first purchase itself rather than buying just VM and then upgrading later.
So that story of the platform, VMDR capabilities and paid add-ons as part of that, we feel, is resonating as we saw with some of the success we saw in Q4. And so we're more looking forward really to say, VMDR, we do -- we're excited about it. We do see that as a strategic thing based on the feedback from customers and is creating opportunities for us to do additional upsells.
Hamza Fodderwala (analyst)
Joo Mi, maybe to follow up. How would you characterize the pricing environment just overall when you look at your -- like today relative to maybe a couple of years ago?
Joo Mi Kim (executive)
I think that nothing really has changed from our perspective. We saw this coming. And a couple of years ago, when we decided that we could have taken different paths, and the reason why we focus on VMDR is exactly because of that. We were feeling the pricing pressure. And so the question was -- that all companies had, "Do we go to price war? Do we lower?" And we have the ability to do that. We have the option because of our high margins. We could have lowered our prices, but we didn't want to do that. We truly believe in the value of our products. So instead of doing that, what we said was, "Let's differentiate with our product, increase value and also increase price but not to that degree." And so that's what we did with VMDR. I think right now the pricing pressure that we feel is not any different than we felt before. And if anything, I think that we're able to go out and win -- our win rates are higher, right, and our sales rep productivity is higher. And I think that has to do with the fact that our market positioning has strengthened.
Hamza Fodderwala (analyst)
Got it. I want to pause and see if anyone has a question in the audience. Okay. I want to talk a little bit about the channel. So you mentioned investing more in the channel, enabling partners, particularly the MSSPs. Can you talk a little bit about your investments there? And what are some of the initiatives?
Sumedh Thakar (executive)
Yes. I think that the channels are interesting and they're changing. And for example, the MSSPs, today, they are focusing less on managing security solutions and provide -- instead providing higher value capabilities around ability to detect things and ability to alert the customer and fix things for them, right? And so traditionally, an MSSP would have to hire an engineering team and really put together 15, 20 different solutions to kind of bring that platform together based on a SIEM. So as we are having conversations with these customers today, we -- with these partners, MSSP partners, we see that they see an opportunity with Qualys to consolidate more of what they do on a single platform, so they don't have to have that big of an engineering team trying to make things work with different products. A single product can give them many capabilities that they need, and then they can take that service to the customer. So they are focusing on the higher value that they can bring. So naturally, Qualys platform with all those additional capabilities built on to one is something that they see quite helpful. The other area that we see where we're partnering with -- from a partner perspective is also the cloud providers, right? And so with Microsoft, we have a good partnership where Qualys scanning capability is embedded in the back end for virtual machines as well as container images. So today, people, as they go to cloud, are looking for ability to get some of the security capabilities built into the workflow, built into the cloud. And so partnerships like that are interesting because our platform is cloud native as well and fits well with the cloud platform that these partners have. And so we look at that also as another channel, another opportunity for us to work together and provide ways that we can expand our penetration there.
Hamza Fodderwala (analyst)
On the international front, so that's been increasing as a percentage of overall sales for some years. I think you have some -- a decent exposure to Europe, in particular. I'm just curious, the macro picture is pretty fluid given the Russia-Ukraine conflict. Have you heard anything from customers so far as far as their spending intentions with Qualys? Or is it that just security in general is fairly defensive, so you haven't really seen much impact?
Sumedh Thakar (executive)
Yes. So far, we haven't heard anything from our customers in Europe. I think whatever is in motion is in motion. We haven't really seen any impact. I think it remains to be seen because one of the things that potential here is that cyber warfare. And so customers are on alert, and they are looking at their defenses and making sure that -- because this is not going to be just your traditional war. I think this is the ability for a nation state to actually attack private companies, private entities within the countries that they are in from remote locations, right? And so I think customers in our conversations are alert and focused on security, but we haven't seen so far any change either way from an environment perspective in terms of what they're looking to either increase or decrease their spend.
Hamza Fodderwala (analyst)
Got it. Just on M&A. Sumedh, you mentioned on the last earnings call that you'd be looking at both organic and inorganic opportunities for growth. I think Qualys, in the past, has done some tuck-ins here and there. Just curious, like, are you signaling a shift in your M&A philosophy towards perhaps doing more larger M&A or entertaining a larger M&A?
Sumedh Thakar (executive)
Not really a shift. I think we've always sort of been open to where it makes sense for us to look at even larger M&As. I think what has happened more traditionally, though Qualys has been sort of in the cloud, so to say, for the last 15 -- I mean the last 20 years. And so for us, when we look at a potential M&A, one of the key aspects of that is how does that fit into our unified platform, right? And -- because we don't want to go to customers with 8 different consoles, and they have a hard time doing that. So as we build capabilities, we'll invest significantly to really build that platform up to that level. And so when we look at M&A potential, whether it's for acqui-hire, whether it's for gaining customers, we always continue to be open to that, but our driving factor there is also to ensure that we have the ability to integrate that with the architecture of our current platform, which, for a long time, a lot of the solutions were on-prem solutions and could not integrate with what we have. So as newer capabilities come up, newer solutions are coming up, it's an area that we continue to keep our eye open because now we can actually have architectures that we can embed and bring on to our platform much easier. And if there is a potential to acquire customers or employees, we'll continue to be open to that.
Hamza Fodderwala (analyst)
And just a follow-up. I mean are there any particular areas that there are perhaps gaps within the Qualys portfolio that you could look to maybe plug the hole on?
Sumedh Thakar (executive)
Yes. I think we -- I know as we're getting into EDR, XDR and cloud and container security, we have capabilities there. Cloud and container security is an evolving area. Things are changing on the infrastructure side as well as security capabilities. And so I think we see opportunities there potentially as we look at different capabilities, features that are out there in the market or companies that are bringing focused cloud security features as one of the areas that potentially we can look at partnership in different ways would be cloud container security.
Hamza Fodderwala (analyst)
Okay. All right. Well, I've got 7 seconds left. So I think at this time, I'll just say thank you, Sumedh and Joo Mi. Really appreciate all your time.
Sumedh Thakar (executive)
All right. Thank you, Hamza.
Joo Mi Kim (executive)
Thank you.